NetScaler is the industry's leading web and application delivery controller that maximizes the performance and availability of all applications and data, and also provides secure remote access to any application from any device type. NetScaler products are easily selected by determining the edition providing functional needs and the appropriate physical or virtual appliance platform to fulfill performance needs.

How to replace a WildCard .pfx file in Citrix NetScaler with another Wildcard .pfx file?

The WildCard certificate installed and used with our Citrix NetScaler and Citrix systems is about to expire. I see that the current system is using a .pfx file and that seems to be the easiest way to keep everything together.

In the past (other employers) it seems that using a wildcard certificate was not very easy and it was always confusing. My question is: "How to create a .csr and obtain a new WildCard SSL/TLS certificate from a Certificate Authority to use on the NetScaler and the StoreFront server?"

I have an idea from: https://www.carlstalhood.com/netscaler-12-certificates/ but I wanted to verify my information with someone who has done this successfully in the past. Should I do the following or perhaps a variation of the following (what is the best design)?

1.  Create an RSA (Private Key) from the NetScaler.
       a.  Reference: https://www.carlstalhood.com/netscaler-12-certificates/
       b.  Specifically search for the section: To create a key pair on NetScaler
            Configuration - Traffic Management - SSL - SSL Files - KEYs
       c.  Keep the private key 'Un-Encrypted' ????
       d.  and follow on-screen instructions.

2.  Then create a CSR from the NetScaler - Configuration - Traffic Management - SSL - SSL Files - CSRs
       a.  Reference: https://www.carlstalhood.com/netscaler-12-certificates/
       b.  Specifically search for the section: …
Citrix XenApp desktop, Windows 2008.

Our users connect to Citrix over a web browser at https://mycitrix.domain.com (NetScaler). The webpage asks for a username and password for login. We want a second authentication TOKEN. We generate the token from a mobile app, but we do not know whether we can change the login page and add this token login field.

How can I add this to the web login:

Token password:

I have created a CSR on Citrix NetScaler (.pem key format)
and the public CA gives me an option when uploading the CSR to choose:

Does any of these options give back a .pem format certificate to install?

e.g. DigiCert has a Citrix option but I have a RapidSSL public CA.
Any advice on what is the best way to complete the process of cert installation?
Does Citrix NetScaler need a .pem certificate to upload?
According to this article, PEM format is: .pem, .crt and .ca-bundle

Thank you
Our Citrix NetScaler VPX is using an SSL Certificate Wildcard and this Wildcard Certificate will expire soon. We have a new WildCard Certificate from a CA; but I am not sure how to replace the currently used certificate with the new one.

I have found a few web articles giving me an idea; but I do not believe they are exactly relevant to my situation.

For example, this video shows how to import a Certificate from a local Active Directory network. But it does not show how to bind it to the Load Balancing server: https://www.youtube.com/watch?v=px2Twok4UI8

I am not sure if I need to convert the certificate or link it to an intermediate certificate or not. Anyone with experience?

Let's assume that the new wildcard is in .pfx format and it combines the server certificate with the intermediate certificate.

I need to install a 3rd-party certificate on the Citrix NetScaler.
I know the procedure to create a CSR but I'm not sure about the part when it comes to submitting the CSR to the CA. What type of certificate should I get back after submitting to the CA? A .PEM cert? Do public CAs provide .PEM certs?
I currently have a Citrix NetScaler VPX 200 and I would like to enable 2 factor authentication. I'm new to setting up 2FA and any advice would be greatly appreciated.

The goal is to have the user sign into the NetScaler web portal and authenticate with their domain (LDAP) credentials. Upon successful login, the user is required to enter a passcode/one time password that they would receive from an SMS message or, ideally, a code from an authenticator app (Microsoft or Google authenticator app, for example). Once the user enters the one time password, the user can access the VPN or ICA portal.

When researching what is involved to enable this, it looks like a RADIUS server is required. I do have a Windows Server 2016 RADIUS server, but it doesn't seem to support what I'm looking for, unless Microsoft's terminology is different. I've opened a case with Citrix, but the only thing provided is links to set up RADIUS on the gateway, which I already found before opening the case.

Has anyone been able to accomplish this? Thank you for your time.
Hello. Still struggling to switch StoreFront stores and have functional apps after authenticating. Env is NetScaler, StoreFront, XenApp 6.5 (current), to NetScaler, StoreFront, XenApp 7.15 (which works until switching to the default store).

In StoreFront_NetscalerGateway_UsedbySt.png
What is setting this function "Used by Stores" within StoreFront? Is this what is actually being used, as it references the STAs? When switching the default website/store within StoreFront this is not changing. If this is needed, how is it set?

Thanks in advance.
I need to upgrade NetScaler firmware to address CVE-2019-19781.
Citrix has the following 2 links for firmware download:
Which link should I use to download the package?
These are virtual appliances on ESXi.

1. One NetScaler's current firmware is NS10.5: Build 55.8007.e.nc.
It has the following features enabled:
 Feature                        Acronym              Status
-------                        -------              ------
 Load Balancing                 LB                   ON
 Content Switching              CS                   ON
 SSL Offloading                 SSL                  ON
 Rewrite                        REWRITE              ON
 Responder                      RESPONDER            ON
 AppFlow                        AppFlow              ON
Should I download the "Netscaler Gateway 10.5.e" firmware for it from the https://www.citrix.com/downloads/citrix-gateway/ URL?
If I choose this one then the latest one is from Sep 25, 2017, which won't cover this CVE.

If I choose the "Netscaler Gateway 10.5" firmware then the latest is Jan 24, 2020, which should cover this CVE.

If I choose the "Netscaler ADC release 10.5" firmware/virtual appliance for it from the https://www.citrix.com/downloads/citrix-adc/ URL then the latest is from Jan 24, 2020, which should cover this CVE.
Which one should I choose?

2. Another netscaler has firmware - NS12.1: Build …
Hello.  Env:  Netscaler MPX9700, 11.1, Storefront 3.15 (On Windows 2012R2) - 2 Stores.  XenApp 6.5 (1 store) & XenApp 7.15 (2nd Store).

I have switched my secondary store in StoreFront 3.15 to be the primary store, so I want NetScaler/StoreFront to use the XenApp 7.15 store as its primary.

In NetScaler, I updated the NetScaler VIP and the StoreFront VIP (under Traffic Mgmt) to use the existing IP set in DNS. I am able to authenticate to either store. However, when launching an application in either store, I receive the following errors (attached). What I don't understand is why this would occur. I can put the IPs back and swap the default websites on StoreFront and all works as expected. Additionally, this poses a concern if another store was introduced or new IPs were required for whatever reason. Since it's getting authenticated and attempts to launch the app, which sometimes registers in Director as a timeout failure, I'm confused as to where the communication is breaking on the way back and why that would be different.

I would simply change DNS; however, there are two reasons I don't want to do that. #1 - If I do that without understanding what is happening here, will I ever be able to get rid of the secondary store? Secondly, we have already distributed the externally facing VIPs and some clients have already updated their whitelists.

Thoughts?  Thanks in advance.
From Citrix NetScaler Enterprise VPX 1000, where can we get the information on which SF server a user is connected to?
I have 2 Citrix StoreFront servers.
Citrix 7.15 and 6.5 Environments.
Is there a Citrix NetScaler (ADC) VPX GSLB configuration step-by-step guide or document available?
I would like to do a POC on the latest 13.1 version.
Please share any links/docs.
Especially, I am looking for the prerequisites list.
Hello. Behind our NetScalers, we have StoreFront 3.15 running on Windows 2012 R2 servers. This was set up with two stores, one to point to the XenApp 6.5 environment and one to point to the new XenApp 7.15 environment.

So on the NetScaler, there was a new VIP configured for the secondary store.

The setup is nearly complete on the secondary (XenApp 7.15) environment and I need to switch the main URL for StoreFront to the secondary store. What are the steps to switch so as not to break the store setup and avoid or have minimal downtime during the switch?

I would assume I also need to update the Virtual Server in the Netscaler to point to the new farm.

In other words, for users, I don't want to give them a new URL space, I want them to continue using the same URL.

When this was originally configured, it was presented that at some point we'd need to switch.

So just want to throw this out there to determine what the steps are.

Thanks in advance.
Trying to find a document to secure Citrix Director when you have multiple Delivery Controllers; my workstation crashed. The sad part is I was pretty far into this, but can't find the document again - my bad for not bookmarking it. I have already set up the virtual server and server group on the NetScaler. However, I need to do the last piece, the redirect, to secure this so I can point to the VIP for management.

Basically, I am trying to publish the VIP in DNS to access Citrix Director from a published app so I don't need to publish each individual one, and for this to be HTTPS and not HTTP.

Any thoughts on where this document is? I can't believe I can't find it.

Thanks in advance.
Configured a new global set of IPs (for failover purposes) for my corporate iPhones to sync their mail through. We use AirWatch as our MDM solution. We have our European and US IPs load balanced using NetScalers.

The problem is when we have our phones connected to an outside network such as Verizon it works perfectly, but when I am connected to an internal network such as my office or home network it does sync mail, it just hangs. As soon as I turn off the wireless on the iPhone it syncs! Very very odd...

any ideas?
Citrix ADC VPX 1000 management CPU is always at 100%. As per the carlstalhood article below, we can change CPU Yield to YES from Default. But this change is for VPX 200 and lower only. If I do the same change on VPX 1000, is it effective, or will it hamper VPX performance? Please suggest.

NetScaler 12 packet engine consumes 100% of the hypervisor CPU. VPX 200 and lower only have one packet engine, so it's probably consuming around 50% CPU.
Citrix ADC VPX packet engine consumes 100% of the hypervisor CPU. VPX 200 and lower only have one packet engine, so it's probably consuming around 50% CPU.

https://support.citrix.com/article/CTX229555 -- is also recommending the same setting change, but it does not give any supported VPX version.
Citrix ADC (NetScaler) 12.1: how can I find out who did the last reboot in the NS VPX?
From the NS VPX console or any PuTTY commands, please share.
We are running NetScaler MPX9700 FIPS devices (11.1.57) with StoreFront to access our XenApp 6.5 and new XenApp 7.15 environments. I have found recently that our Mac users are getting the following message "You have not chosen to trust "GeoTrust TLS RSA CA G1", the issuer of the server's security certificate" when trying to launch a published app. PC users are not having this issue with Chrome, Internet Explorer or Firefox. Mac users, on the other hand, see this issue if using Chrome. They are using version 1912 of Citrix Workspace.

The Mac users are able to get around this message by installing the certificates in their browser.  From reading, this is something I need to address on the Netscaler rather than users having to address something on their side.  I believe our PC users will receive the same message when they move to a newer Workspace client.  We are currently using Receiver 14.12 on the PC side.

I'm looking for more information as the Certs on the Netscaler are not showing a missing path and can't determine what is missing.

Thanks for any help to point us in the right direction.
Hello.  We are using Netscaler with StoreFront 3.15 pointing to a XenApp 7.15.  Since we no longer have the option for a list of apps and have to use the grid, wondering if there is a way to create additional folders within a Category to help with organization?
Thanks in advance.
Hello. I've been fighting with my new NetScaler (the NetScaler is an MPX9700 FIPS)/XenApp 7.15 (Windows 2016) environment a bit. I am able to successfully get to the StoreFront site directly. If I try to go through the NetScaler Gateway, I get a 'Cannot complete your request' error.

In troubleshooting, I determined we also need to change the port for the acting STAs (Delivery Controllers) to use port 8080 instead of port 80.

I am able to telnet from StoreFront to the Delivery Controllers on port 8080.
I am able to telnet from the NetScaler to the Delivery Controllers on port 8080.
I have verified that the Delivery Controllers are listening on port 8080 by doing a netstat -t.

However, within the NetScaler console, under NetScaler Gateway > VPN Virtual Server > STA Server Binding, this shows the connections as down. I have included the port in the path.

Any thoughts on what I am missing?

Thanks in advance.
Citrix NetScaler 12.1 Error: Please ensure Citrix ADC is synced to NTP time
I have configured native OTP integrated with NetScaler Gateway. After entering the user credentials I am able to add my device name; after entering the code by scanning the QR code it throws an error like this... The time between NetScaler, AD and the user device affects it.
We are changing our certificate authority to SHA2 from SHA1.
The cert authority server has already been set up and now we are changing the certs for member servers and appliances.
As a result we need to change the certificates on our RSA Authentication Manager from SHA1 to SHA2.
What are the things to keep in mind before changing these certificates?
Do the end user computers need to trust the root CA for these certs?
And if RSA is used for 2 factor authentication on Citrix NetScaler, then does Citrix NetScaler need to trust the root CA as well?

I found the following article to replace the web tier cert:

Do I also need to change the console and application trust certificates to SHA2?
Citrix NetScaler 11.1 build 53. Is there any way to do reporting for NS bandwidth consumption?
I don't have NS MAS. Not using it for Citrix XenApp. We have some apps to load-balance. We have 10 VIPs for this.
I'm looking for some assistance with nFactor, where the requirement is to configure two-factor for two different tokens, "RSA" and "DUO"; the security group will define the type of token.
First Authentication: LDAP
Second Authentication: RSA if a user is a member of the "Citrix-RSA" security group and DUO if the user is a member of "Citrix-DUO"
I have traffic coming from the outside world to a WatchGuard firewall, to Citrix NetScaler, which goes to an internal ASA firewall and then to the internal network.

Our Citrix NetScaler also has the same certificate for sts.domain.com (service communication certificate) which is being hosted on our internal ADFS server (Windows Server R2).

We don't have an ADFS proxy server as of now.

Recently we had a password spray attack on our internal ADFS server,

and we could not determine the source IP on our internal ADFS server.

I wanted to know the following:

1) I read in articles that Windows Server 2012 R2 has an extranet lockout feature and the ADFS 2016 server also has an extranet lockout feature, so is there any difference between the 2 as far as protection from password spray attacks is concerned?

In the scenario I explained regarding traffic coming from outside to WatchGuard firewall - NetScaler - ASA firewall, where should I place the WAP server and how can it help in mitigating password spray attacks?

Are there any good tutorials for upgrading a Windows Server 2012 to 2016 ADFS server and how the proxy ADFS should be configured?

We have mailboxes in 365 and AD accounts are synced through AAD sync to Azure AD.

I came to know from Microsoft that messages are being redirected from Office 365 to the internal ADFS server and it is not authenticating, so what other steps should I take?

To protect from spray attacks, is just a proxy ADFS server sufficient or should some conditional policy be applied …

We have a site that was working and being accessed externally and internally via the web. The vendor upgraded the system by creating a parallel system. The site is no longer working. The odd thing is there is an app and that part is working, but access to the site via web/browser internally or externally is not working. The site is assigned a DNS name, as an example metro.companyname.com. We point that to a NetScaler (called Citrix support and they said the NetScaler is passing traffic fine); the NetScaler then forwards on to the IIS server but nothing. However, there is an app, and when we put in metro.companyname.com/site_name, the app is able to connect and has all the functions. My explanation may be confusing; are there any suggestions or questions I can answer to help point in the right direction? We compared the old IIS server to the new one and cannot find a difference that is causing an issue. Any help, much appreciated. Thanks,